1MERGECAP(1)                                                        MERGECAP(1)
2
3
4

NAME

6       mergecap - Merges two or more capture files into one
7

SYNOPSIS

9       mergecap [ -a ] [ -F <file format> ] [ -I <IDB merge mode> ]
10       [ -s <snaplen> ] [ -V ] -w <outfile>|- <infile> [<infile> ...]
11
12       mergecap -h|--help
13
14       mergecap -v|--version
15

DESCRIPTION

17       Mergecap is a program that combines multiple saved capture files into a
18       single output file specified by the -w argument. Mergecap knows how to
19       read pcap and pcapng capture files, including those of tcpdump,
20       Wireshark and other tools that write captures in those formats.
21
22       By default, Mergecap writes the capture file in pcapng format, and
23       writes all of the packets from the input capture files to the output
24       file.
25
26       Mergecap is able to detect, read and write the same capture files that
27       are supported by Wireshark. The input files don’t need a specific
28       filename extension; the file format and an optional gzip, zstd or lz4
29       compression will be automatically detected. Near the beginning of the
30       DESCRIPTION section of wireshark(1) or
31       https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
32       description of the way Wireshark handles this, which is the same way
33       Mergecap handles this.
34
35       Mergecap can write the file in several output formats. The -F flag can
36       be used to specify the format in which to write the capture file,
37       mergecap -F provides a list of the available output formats.
38
39       Packets from the input files are merged in chronological order based on
40       each frame’s timestamp, unless the -a flag is specified. Mergecap
41       assumes that frames within a single capture file are already stored in
42       chronological order. When the -a flag is specified, packets are copied
43       directly from each input file to the output file, independent of each
44       frame’s timestamp.
45
46       The output file frame encapsulation type is set to the type of the
47       input files if all input files have the same type. If not all of the
48       input files have the same frame encapsulation type, the output file
49       type is set to WTAP_ENCAP_PER_PACKET. Note that some capture file
50       formats, most notably pcap, do not currently support
51       WTAP_ENCAP_PER_PACKET. This combination will cause the output file
52       creation to fail.
53

OPTIONS

55       -a
56
57           Causes the frame timestamps to be ignored, writing all packets from
58           the first input file followed by all packets from the second input
59           file. By default, when -a is not specified, the contents of the
60           input files are merged in chronological order based on each frame’s
61           timestamp.
62
63           Note: when merging, mergecap assumes that packets within a capture
64           file are already in chronological order.
65
66       -F  <file format>
67
68           Sets the file format of the output capture file. Mergecap can write
69           the file in several formats; mergecap -F provides a list of the
70           available output formats. By default this is the pcapng format.
71
72       -h|--help
73
74           Prints the version and options and exits.
75
76       -I  <IDB merge mode>
77
78           Sets the Interface Description Block (IDB) merge mode to use during
79           merging. mergecap -I provides a list of the available IDB merge
80           modes.
81
82           Every input file has one or more IDBs, which describe the
83           interface(s) the capture was performed on originally. This includes
84           encapsulation type, interface name, etc. When mergecap merges
85           multiple input files, it has to merge these IDBs somehow for the
86           new merged output file. This flag controls how that is
87           accomplished. The currently available modes are:
88
89           none: No merging of IDBs is performed, and instead all IDBs are
90           copied to the merged output file.
91
92           all: IDBs are merged only if all input files have the same number
93           of IDBs, and each IDB matches their respective entry in the other
94           files. (Only the IDBs that occur at the beginning of the files,
95           before any packet blocks, are compared. IDBs that occur later in
96           the files are merged with duplicates iff the initial IDBs were
97           merged.) This is the default mode.
98
99           any: Any and all duplicate IDBs are merged into one IDB, regardless
100           of what file they are in.
101
102           Note that an IDB is only considered a matching duplicate if it has
103           the same encapsulation type, name, speed, time precision, comments,
104           description, etc.
105
106       -s  <snaplen>
107
108           Sets the snapshot length to use when writing the data. If the -s
109           flag is used to specify a snapshot length, frames in the input file
110           with more captured data than the specified snapshot length will
111           have only the amount of data specified by the snapshot length
112           written to the output file. This may be useful if the program that
113           is to read the output file cannot handle packets larger than a
114           certain size (for example, the versions of snoop in Solaris 2.5.1
115           and Solaris 2.6 appear to reject Ethernet frames larger than the
116           standard Ethernet MTU, making them incapable of handling gigabit
117           Ethernet captures if jumbo frames were used).
118
119       -v|--version
120
121           Print the version and exit.
122
123       -V
124
125           Causes mergecap to print a number of messages while it’s working.
126
127       -w  <outfile>|-
128
129           Sets the output filename. If the name is '-', stdout will be used.
130           This setting is mandatory.
131

DIAGNOSTIC OPTIONS

133       --log-level <level>
134           Set the active log level. Supported levels in lowest to highest
135           order are "noisy", "debug", "info", "message", "warning",
136           "critical", and "error". Messages at each level and higher will be
137           printed, for example "warning" prints "warning", "critical", and
138           "error" messages and "noisy" prints all messages. Levels are case
139           insensitive.
140
141       --log-fatal <level>
142           Abort the program if any messages are logged at the specified level
143           or higher. For example, "warning" aborts on any "warning",
144           "critical", or "error" messages.
145
146       --log-domains <list>
147           Only print messages for the specified log domains, e.g.
148           "GUI,Epan,sshdump". List of domains must be comma-separated.
149
150       --log-debug <list>
151           Force the specified domains to log at the "debug" level. List of
152           domains must be comma-separated.
153
154       --log-noisy <list>
155           Force the specified domains to log at the "noisy" level. List of
156           domains must be comma-separated.
157
158       --log-file <path>
159           Write log messages and stderr output to the specified file.
160

EXAMPLES

162       To merge two capture files together into a third capture file, in which
163       the last packet of one file arrives 100 seconds before the first packet
164       of another file, use the following sequence of commands.
165
166       First, use:
167
168           capinfos -aeS a.pcap b.pcap
169
170       to determine the start and end times of the two capture files, as
171       seconds since January 1, 1970, 00:00:00 UTC.
172
173       If a.pcap starts at 1009932757 and b.pcap ends at 873660281, then the
174       time adjustment to b.pcap that would make it end 100 seconds before
175       a.pcap begins would be 1009932757 - 873660281 - 100 = 136272376
176       seconds.
177
178       Thus, the next step would be to use:
179
180           editcap -t 136272376 b.pcap b-shifted.pcap
181
182       to generate a version of b.pcap with its time stamps shifted 136272376
183       ahead.
184
185       Then the final step would be to use :
186
187           mergecap -w compare.pcap a.pcap b-shifted.pcap
188
189       to merge a.pcap and the shifted b.pcap into compare.pcap.
190

SEE ALSO

192       pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1), text2pcap(1),
193       pcap-filter(7) or tcpdump(8)
194

NOTES

196       Mergecap is based heavily upon editcap by Richard Sharpe
197       <sharpe[AT]ns.aus.com> and Guy Harris <guy[AT]alum.mit.edu>.
198
199       This is the manual page for Mergecap 4.0.8. Mergecap is part of the
200       Wireshark distribution. The latest version of Wireshark can be found at
201       https://www.wireshark.org.
202
203       HTML versions of the Wireshark project man pages are available at
204       https://www.wireshark.org/docs/man-pages.
205

AUTHORS

207       Original Author
208       Scott Renfro <scott[AT]renfro.org>
209
210       Contributors
211       Bill Guyton <guyton[AT]bguyton.com>
212
213
214
215                                  2023-08-31                       MERGECAP(1)
Impressum